help designing proper Work-AppVM VPN support


onw7two99

Aug 30, 2019, 2:22:23 PM
to qubes-users
Hello,

I have been using Qubes for a while and I am very satisfied with my setup,
which has evolved over time. Lots of tweaks and ideas came from this forum.

My network setup looks like this:

sys-net* <- sys-vpn* <-sys-mirage-fw** <- [AppVMs]

* = Fedora 30 minimal based custom build sys-vm

** = the Mirage Firewall

sys-vpn is using the qubes firewall script to connect to a VPN
provider (ExpressVPN or Private Internet Access).

While this is working for my private setup I want to improve my
corporate setup:


I have one "corporate AppVM" which is connecting via VPN (Cisco
AnyConnect using the OpenConnect plugin) to our office. I have enabled
Network Manager for this AppVM.

The VPN is working via Network Manager and I can also start the VPN via CLI:

[user@BizAppVM ~] nmcli connection up MyOfficeVPN

where MyOfficeVPN is the name of the VPN Profile. I have also enabled to
save the password for all users in this VPN profile and put in an empty
password keyring phrase, so that I can connect without entering credentials.

The problem is that I want to autoconnect this AppVM to my corporate VPN
automatically on startup.

Approach 1 -> failed.

I tried to enable "Automatically connect to VPN" and chose the VPN
profile in Network Manager settings for the VM uplink eth0.

If I disable and enable the network adapter it will automatically
connect to the VPN. BUT ... this setting does not survive reboots.

After the reboot of the AppVM the setting is disabled again.


Approach 2 -> failed

I then tried to follow the Qubes VPN howto
https://www.qubes-os.org/doc/vpn/ but ran into an error, even when
adding the password to my VPN in the text file.

My /rw/config/rc.local looks like this:

PWDFILE="/rw/config/NM-system-connections/secrets/passwd-file.txt"
nmcli connection up MyOfficeVPN passwd-file $PWDFILE

and /rw/config/NM-system-connections/secrets/passwd-file.txt contains

vpn.secrets.password:VPNPasswordInClearText

If I run the following commands from the terminal as non-privileged user
the VPN will connect successfully, even with the warning:


[user@WorkAppVM ~]$
PWDFILE="/rw/config/NM-system-connections/secrets/passwd-file.txt"

[user@WorkAppVM ~]$ nmcli connection up MyOfficeVPN passwd-file $PWDFILE
A password is required to connect to MyOfficeVPN'.
Warning: password for 'vpn.secrets.gateway' not given in 'passwd-file'
and nmcli cannot ask without '--ask' option.
Connection successfully activated (D-Bus active path:
/org/freedesktop/NetworkManager/ActiveConnection/5)

If I run the same command as root user in the AppVM I get an error
message and can't connect via VPN.

bash-5.0# nmcli connection up MyOfficeVPN passwd-file $PWDFILE
A password is required to connect to 'MyOfficeVPN'.
Warning: password for 'vpn.secrets.gateway' not given in 'passwd-file'
and nmcli cannot ask witho>
Error: Connection activation failed: No valid secrets
<h0' to get more details.

It seems that the password is not fetched from the text file.

It is only working when launching the VPN via nmcli from the
non-privileged user terminal, because the password has been saved in the
GUI.

QUESTION:

What is wrong that the password will not be used from the password-file?

Is it because I am using the OpenConnect network manager plugin?

I would love to have my WorkAppVM connected directly upon boot.

I could of course set up a VPN proxy VM in front of the work AppVM but I
would run into the same problem, that I need to be able to autoconnect
to the VPN upon boot, which means that the command nmcli connection up
MyOfficeVPN passwd-file $PWDFILE must work running as root user.


Any help would be great, as I feel lost.


[799]


awokd

Aug 31, 2019, 2:51:03 PM
to qubes...@googlegroups.com
onw7two99:

> [user@WorkAppVM ~]$
> PWDFILE="/rw/config/NM-system-connections/secrets/passwd-file.txt"

> If I run the same command as root user in the AppVM I get an error
> message and can't connect via VPN.
>
> bash-5.0# nmcli connection up MyOfficeVPN passwd-file $PWDFILE
> A password is required to connect to 'MyOfficeVPN'.
> Warning: password for 'vpn.secrets.gateway' not given in 'passwd-file'
> and nmcli cannot ask witho>
> Error: Connection activation failed: No valid secrets
> <h0' to get more details.
>
> It seems that the password is not fetched from the text file.
>
> It is only working when launching the VPN via nmcli from the
> non-privileged user terminal, because the password has been saved in the
> GUI.
>
> QUESTION:
>
> What is wrong that the password will not be used from the password-file?

Could be because $PWDFILE is defined in your regular user environment,
so the root environment might not know about it. Try pathing it out in
the nmcli command instead of using an environment variable.
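To make the suggestion concrete, here is an added rc.local-style script (it is not code from either poster, nor from the Qubes VPN howto). It spells the secrets path out as a literal instead of relying on a shell variable inherited from the user's session, and before calling nmcli it checks that the secrets file exists, is not readable by other users (the file holds the VPN password in clear text), and actually contains a value for every key the profile needs. The profile name and file path are the ones from the thread; the key names passed to the checker are assumed from the thread's own output, so add whatever keys your plugin's warning names (the thread shows it asking for vpn.secrets.gateway as well).

```shell
#!/bin/sh
# Added example: rc.local-style VPN bring-up with a literal secrets path and
# a pre-flight check of the secrets file. Not from the original thread.

VPN_PROFILE="MyOfficeVPN"                                          # from the thread
SECRETS_FILE="/rw/config/NM-system-connections/secrets/passwd-file.txt"  # from the thread

# check_secrets_file FILE KEY...
# Returns 0 only if FILE is a regular file with mode 600 (or 400) and has a
# non-empty "KEY:value" line for every KEY given; otherwise prints why and
# returns 1. Run by root from rc.local, so no user environment is involved.
check_secrets_file() {
    file="$1"; shift
    [ -f "$file" ] || { echo "secrets file missing: $file" >&2; return 1; }
    # GNU stat (Fedora templates); the fallback covers BSD-style stat.
    mode=$(stat -c '%a' "$file" 2>/dev/null) || mode=$(stat -f '%Lp' "$file")
    case "$mode" in
        600|400) ;;
        *) echo "secrets file $file has mode $mode; expected 600" >&2; return 1 ;;
    esac
    for key in "$@"; do
        # nmcli passwd-file lines are "setting.property:value"; take the first match.
        value=$(grep "^${key}:" "$file" | head -n 1 | cut -d: -f2-)
        [ -n "$value" ] || { echo "secrets file lacks a value for $key" >&2; return 1; }
    done
    return 0
}

# build_nmcli_cmd PROFILE FILE
# Prints the exact command line with the path written out, so the same
# command works whether a user types it or root runs it from rc.local.
build_nmcli_cmd() {
    printf 'nmcli connection up %s passwd-file %s\n' "$1" "$2"
}

# Only act when this file itself is executed as rc.local; when the functions
# are sourced elsewhere (or tested), nothing below runs.
case "$0" in
    */rc.local)
        # vpn.secrets.password is the key shown in the thread; add e.g.
        # vpn.secrets.gateway here if your plugin's warning asks for it.
        check_secrets_file "$SECRETS_FILE" vpn.secrets.password || exit 1
        $(build_nmcli_cmd "$VPN_PROFILE" "$SECRETS_FILE")
        ;;
esac
```

Saved as /rw/config/rc.local and made executable, the script refuses to start the VPN when the secrets file is world-readable or incomplete, which surfaces the "No valid secrets" condition before nmcli does and without leaking the password into a terminal.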